It’s also important to note that
tcpdump only takes the first 68 bytes of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. I usually give it 1514 (to get everything) if I use this option. Here’s a short list of the options I use most:
-i any: Listen on all interfaces just to see if you’re seeing any traffic.
-n: Don’t resolve hostnames.
-nn: Don’t resolve hostnames or port names.
-X: Show the packet’s contents in both hex and ASCII.
-v, -vv, -vvv: Increase the amount of packet information you get back.
-c: Only get x number of packets and then stop.
-S: Print absolute sequence numbers.
-e: Get the ethernet header as well.
-q: Show less protocol information.
So, based on the kind of traffic I’m looking for, I use a different combination of options to
tcpdump, as can be seen below:
tcpdump -nnvvXSs 1514
Expressions allow you to trim out various types of traffic and find exactly what you’re looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with
tcpdump. There are three main types of expression:
Type options are
port. Direction is indicated by
dir, and there you can have
src or dst, and
src and dst. Here are a few that you should definitely be comfortable with:
host// look for traffic based on IP address (also works with hostname if you’re not using -n)
tcpdump host 126.96.36.199
dst// find traffic from only a source or destination (eliminates one side of a host conversation)
tcpdump src 188.8.131.52
tcpdump dst 184.108.40.206
net// capture an entire network using CIDR notation
tcpdump net 220.127.116.11/24
proto// works for tcp, udp, and icmp. Note that you don’t have to type
port// see only traffic to or from a certain port
tcpdump port 3389
src, dst port// filter based on the source or destination port
tcpdump src port 1025
tcpdump dst port 3389
Expressions are nice, but the real magic of
tcpdump comes from the ability to combine them in creative ways in order to isolate exactly what you’re looking for. There are three ways to do combinations, and if you’ve studied computers at all they’ll be pretty familar to you:
TCP traffic from 10.5.2.3 destined for port 3389:
# tcpdump -nnvvS tcp and src 10.5.2.3 and dst port 3389
Traffic originating from the 192.168 network headed for the 10 or 172.16 networks:
# tcpdump -nvX src net 192.168.0.0/16 and dst net 10.0.0.0/8 or 172.16.0.0/16
Non-ICMP traffic destined for 192.168.0.2 from the 172.16 network:
# tcpdump -nvvXSs 1514 dst 192.168.0.2 and src net 172.16.0.0/16 and not icmp
Traffic originating from Mars or Pluto that isn’t to the SSH port: // requires name resolution
# tcpdump -vv src mars or pluto and not dst port 22
As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you’re looking for and then to build the syntax to isolate that specific type of traffic.
Also keep in mind that when you’re building complex queries you might have to group your options using single quotes. Single quotes are used in order to tell
tcpdump to ignore certain special characters — in this case the “( )” brackets. This same technique can be used to group using other expressions such as
net, etc. Take a look at the command below:
Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22: // wrong
# tcpdump src 10.0.2.4 and (dst port 3389 or 22)
If you tried to run this otherwise very useful command, you’d get an error because of the parenthesis. You can either fix this by escaping the parenthesis (putting a \ before each one), or by putting the entire command within single quotes:
Traffic that’s from 10.0.2.4 AND destined for ports 3389 or 22: // correct
# tcpdump 'src 10.0.2.4 and (dst port 3389 or 22)'
You can also filter based on specific portions of a packet, as well as combine multiple conditions into groups. The former is useful when looking for only SYNs or RSTs, for example, and the latter for even more advanced traffic isolation.
Bad Behavior has blocked 62 access attempts in the last 7 days.